Proxy Auth

Problem this snippet solves:

Provides authentication offload to a service such as LDAP.

How to use this snippet:

For the purposes of testing this example I'm using a Universal persistence based on the user that has been authenticated. In reality it would be better to combine this rule with the proxy node hashing iRule elsewhere on DevCentral.

Code:

when CLIENT_ACCEPTED {
   set authinsck 0
   set asid [AUTH::start pam _sys_auth_ldap]
}

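when HTTP_REQUEST {
   # "HTTP::header values" returns a Tcl list, so "Basic <base64>" arrives as
   # "{Basic <base64>}": skip the 7 leading characters and stop at the closing brace.
   set ProxyAuth [b64decode [substr "[HTTP::header values Proxy-Authorization]" 7 "\}"]]
   set ProxyUser [getfield $ProxyAuth ":" 1]
   # Everything after the first colon is the password, which may itself contain colons.
   set ProxyPass [string range $ProxyAuth [expr {[string length $ProxyUser] + 1}] end]
   set ProxyUserIP [IP::client_addr]
   log local0. "ProxyUser: $ProxyUser ProxyUserIP: $ProxyUserIP"
   AUTH::username_credential $asid $ProxyUser
   AUTH::password_credential $asid $ProxyPass
   AUTH::authenticate $asid
   # Hold the request until the AUTH_* events decide whether to release it.
   HTTP::collect
   # Drop any client-supplied copy so the header only ever carries the authenticated name.
   HTTP::header remove X-Authenticated-User
   HTTP::header insert X-Authenticated-User $ProxyUser
   HTTP::header insert X-Forwarded-For $ProxyUserIP
   persist uie $ProxyUser
}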

when HTTP_RESPONSE {
   persist add uie $ProxyUser 3600
}

when AUTH_SUCCESS {
   if {$asid eq [AUTH::last_event_session_id]} {
      set authinsck 1
      HTTP::release
   }
}

when AUTH_FAILURE {
   if {$asid eq [AUTH::last_event_session_id]} {
      HTTP::respond 407 "Proxy-Authenticate" "Basic realm=\"Proxy Service\""
   }
}

when AUTH_WANTCREDENTIAL {
   if {$asid eq [AUTH::last_event_session_id]} {
      HTTP::respond 407 "Proxy-Authenticate" "Basic realm=\"Proxy Service\""
   }
}

when AUTH_ERROR {
   if {$asid eq [AUTH::last_event_session_id]} {
      HTTP::respond 407
   }
}
Published Mar 18, 2015
Version 1.0
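
A stand-alone model of the Proxy-Authorization parsing step, added here as an example (it is not the snippet author's code). It is plain Tcl 8.6 for tclsh, so "binary decode base64" stands in for the iRule b64decode command; the proc name parse_proxy_basic, its status values and the sample headers are constructed for illustration.

```tcl
# Added example: plain Tcl 8.6 for tclsh, not iRule code.
# parse_proxy_basic and the sample headers are constructed for illustration.

# Returns {status user pass}; status is ok, missing, scheme, encoding or format.
proc parse_proxy_basic {header} {
    set header [string trim $header]
    if {$header eq ""} {
        return [list missing "" ""]
    }
    # The scheme name is matched case-insensitively; only Basic is accepted.
    if {![regexp -nocase {^basic\s+(\S+)$} $header -> token]} {
        return [list scheme "" ""]
    }
    # -strict raises an error on non-base64 characters instead of skipping them.
    if {[catch {binary decode base64 -strict $token} decoded]} {
        return [list encoding "" ""]
    }
    # RFC 7617: the user-id cannot contain ":", the password can, so split on
    # the first colon only. Splitting on every colon would truncate the password.
    set sep [string first ":" $decoded]
    if {$sep < 1} {
        # No colon at all, or an empty user name.
        return [list format "" ""]
    }
    set user [string range $decoded 0 [expr {$sep - 1}]]
    set pass [string range $decoded [expr {$sep + 1}] end]
    return [list ok $user $pass]
}

# Constructed sample header values (no real credentials).
set samples [list \
    "Basic [binary encode base64 {alice:secret}]" \
    "basic [binary encode base64 {bob:pa:ss:word}]" \
    "" \
    "Digest username=alice" \
    "Basic !!!not-base64!!!" \
    "Basic [binary encode base64 {:nouser}]" \
]

foreach header $samples {
    lassign [parse_proxy_basic $header] status user pass
    # Report the password length only; the password itself never belongs in a log.
    puts [format "%-8s user=%-5s pass_len=%-2d header=%s" \
        $status $user [string length $pass] $header]
}
```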
